DPDP Act for Startups: Your 2026 Compliance Checklist
India's DPDP Act applies to your startup too — and most AI-built databases fail it. Here's the plain-English checklist of what your data setup must have.
If your app has Indian users, the Digital Personal Data Protection Act applies to you — startup or not. And here's the uncomfortable truth: most AI-generated backends fail it out of the box. The DPDP Act for startups isn't just big-company paperwork; the penalties run up to ₹250 crore, and "we're small" is not a defence.
The good news is that compliance is mostly a checklist, and a vibe-coded app can get there without a rebuild. Here's the plain-English version.
What the DPDP Act actually requires
Strip away the legalese and it comes down to a few principles:
- Consent — you need clear, specific permission before collecting personal data.
- Purpose limitation — only collect what you actually need, for a stated reason.
- Right to erasure — users can ask you to delete their data, and you must be able to.
- Security — you must protect personal data with "reasonable safeguards."
- Accountability — you need to know what data you hold and where.
Where AI-built apps usually fail
Vibe-coded backends typically:
- Store personal data with no consent record at all.
- Have wide-open access rules (any logged-in user can read everyone's data).
- Have no deletion path — there's no way to actually erase a user.
- Keep data forever, with no retention policy.
- Ship secrets and PII to places they shouldn't be.
Each of these is a direct DPDP gap.
Your DPDP startup checklist
- Consent capture — a real, logged opt-in before collecting personal data
- Data inventory — you know exactly what personal data you store and why
- Row-level security — users can only access their own data
- Deletion flow — a working "delete my account and data" path
- Retention policy — old data is purged, not hoarded
- Encryption + access control on personal data
- A privacy policy that matches what your app actually does
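As an added illustration (not code from this page or from any particular product), here is how the consent capture, row-level security, deletion and retention items above look when built into a PostgreSQL schema; the app_user role, the app.user_id session setting and the 24-month retention window are assumptions chosen for the example.

```sql
-- Constructed example for a PostgreSQL backend.
-- Assumes API queries run as the role "app_user" and that the application
-- sets the caller's id for each request, e.g.  SET LOCAL app.user_id = '<uuid>';
-- Schema changes, deletion and the retention job run as the table owner.

CREATE TABLE users (
    id         uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    email      text NOT NULL UNIQUE,
    created_at timestamptz NOT NULL DEFAULT now()
);

-- Consent capture: one row per opt-in, tied to a stated purpose,
-- so you can prove when consent was given and when it was withdrawn.
CREATE TABLE consent_log (
    id           bigserial PRIMARY KEY,
    user_id      uuid NOT NULL REFERENCES users(id) ON DELETE CASCADE,
    purpose      text NOT NULL,        -- e.g. 'account', 'marketing'
    granted_at   timestamptz NOT NULL DEFAULT now(),
    withdrawn_at timestamptz           -- NULL while consent is active
);

-- Personal data collected for a stated purpose, with a retention clock.
CREATE TABLE profiles (
    user_id   uuid PRIMARY KEY REFERENCES users(id) ON DELETE CASCADE,
    phone     text,
    last_seen timestamptz NOT NULL DEFAULT now()
);

-- Row-level security: a user can only read or change their own rows.
-- current_setting(..., true) returns NULL when app.user_id is unset, so a
-- request that forgot to set it sees no rows rather than everyone's rows.
ALTER TABLE profiles    ENABLE ROW LEVEL SECURITY;
ALTER TABLE consent_log ENABLE ROW LEVEL SECURITY;
CREATE POLICY own_profile ON profiles
    USING (user_id = current_setting('app.user_id', true)::uuid);
CREATE POLICY own_consent ON consent_log
    USING (user_id = current_setting('app.user_id', true)::uuid);
GRANT SELECT, INSERT, UPDATE, DELETE ON profiles, consent_log TO app_user;

-- Deletion flow: removing the users row cascades to every table holding PII.
-- (Run by the backend for the authenticated user who requested erasure.)
DELETE FROM users WHERE id = '00000000-0000-0000-0000-000000000001';  -- placeholder id

-- Retention policy: purge accounts not seen for 24 months (run on a schedule).
DELETE FROM users
 WHERE id IN (SELECT user_id FROM profiles
               WHERE last_seen < now() - interval '24 months');
```

Because RLS is enforced by the database, a bug in an API handler cannot hand one user another user's profile, which is the failure mode the "wide-open access rules" bullet describes.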
You don't need a lawyer to start
Most of DPDP compliance is engineering, not legal — it's how your database is structured and who can touch the data. Fixing row-level security, adding a deletion path, and logging consent gets you most of the way there, and none of it requires rebuilding your product.
If you're not sure where you stand, our free DPDP compliance check audits your data model, access rules and PII handling, then tells you exactly what to fix.
Vibe-coded an app that's breaking at scale? We'll audit it free in 48 hours.